I am doing the following search on Splunk 4.3.6 search head:
sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer | eval DN=replace(DN,"}","},") | ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName
The idea is to get the display name of the modified GPO. The search produces the expected results. However, when I try to pipe the result to a table like this:
| table Account_Name,displayName
the displayName column is empty.
What am I doing wrong?
Thanks.
... View more